This breakdown is available for paid subscribers. Only paid subscribers get regular full access to our breakdowns and other analyses. If you’re not already a paid subscriber, you can upgrade here.

On March 3, 2026, the FDA’s Center for Drug Evaluation and Research (CDER) issued three warning letters to very different operations:

• A domestic OTC manufacturer in Illinois.

• A German sterile drug facility producing for the U.S. market.

• A contract testing laboratory in India.

The inspections behind these letters took place between August and September 2025, and all three letters were posted publicly on March 10.

On their own, of couse each letter tells a site-specific story. Read together though, they tell a much bigger one. The pattern across them is unmistakable: The FDA isn’t just citing CGMP violations. It’s systematically rejecting the corrective action responses firms submitted after their 483s, and it’s doing so in pointed, detailed language that should concern anyone managing a quality system that runs CAPAs.

Let’s walk through what the FDA found, what connects these cases, and what the enforcement posture tells us about where things are headed.

Water and utility systems remain a top structural vulnerability

Two of the three letters center on water or utility system failures. This isn’t new. We’ve been writing about water as a recurring FDA target for years, but the specifics here are worth lingering on.

At the domestic OTC facility in Illinois, the water system consistently failed to meet chemical specifications. The performance qualification report itself contained extensive sampling data showing most samples didn’t meet USP standards, and the firm approved the qualification study anyway. Subsequent data collected over a two-year span (August 2023 through August 2025) showed that nearly all samples continued to fail. The firm used this water to manufacture finished drug products the entire time.

• The system also had known dead-legs, including at points of use in the production area. FDA recovered gram-negative organisms including Pseudomonas aeruginosa and Serratia marcescens from the system.

• The firm committed to stopping use of the system and purchasing water in the interim, but FDA found the response inadequate because it failed to address the quality unit’s prolonged inaction in the face of a long-standing pattern of failing results.

That last point is super important. The FDA didn’t just object to the bad water data. It objected to the quality unit watching the data fail for two years and doing nothing meaningful about it.

At the German sterile facility, cleaning use points associated with ISO 5 aseptic processing and RABS lines were fed through excessively long deadlegs from the utility loop. Between June 2023 and September 2025, routine testing at those cleaning use points produced at least 47 microbial recoveries, with 14 exceeding action limits.

Recovered organisms included Sphingomonas, Methylobacterium, Bradyrhizobium, and Ralstonia (gram-negative, biofilm-forming species that are exactly the kind of organisms you do not want anywhere near aseptic production).

Investigations at that site had already identified the piping design as the most likely root cause. But the CAPAs failed to comprehensively address the design deficiency. FDA’s letter makes clear that the firm’s response (committing to sanitization cycles and procedural changes) didn’t fix the fundamental problem: the pipes feeding their cleanrooms were insanitary by design.

Our auditors continue to see the same dynamic at sites across the industry.

• Water systems are designed or qualified once, and then the data tells a story that nobody wants to act on because the fix is expensive (repiping, system redesign, capital expenditure).

• Firms layer on procedural controls, enhanced monitoring, or interim measures, and the underlying engineering problem persists. The FDA has been explicit for years that this approach doesn’t work, and these letters reinforce that position in the strongest terms.

The key point here: If your water system has known dead-legs, persistent excursions, or a qualification study you approved despite failing data, the time to act is now.

Data integrity: from the lab bench to the garbage bag

The contract testing laboratory in India received the most damning findings of the three, and they go well beyond typical data integrity observations.

FDA investigators discovered two garbage bags containing torn analytical records. Chromatographic results, unidentified number lists, and impurity method validation spreadsheets with handwritten notes.

• For at least one method validation study, the official records contained only handwritten values, while the original data had been discarded in those garbage bags. The firm’s own SOPs prohibited exactly this: destroying records or instrument printouts and required filing such documents with original data for traceability.

• Lab staff were also using unofficial personal diaries to record procedures, analytical observations, results, method modifications, and deviation descriptions with no procedures to control or retain these records.

But it gets worse. At the start of the inspection, FDA investigators observed the firm attempting to remove the two garbage bags that were later determined to contain analytical documents. The firm also initially denied using internal audit forms that were later discovered in the microbiology lab manager’s office, and the manager told the FDA that senior management had instructed him not to share details about audits with the investigator.

The FDA (unsurprisingly) invoked Section 501(j), stating that the firm delayed or limited access to requested records during the inspection, causing the drug products it tested to be deemed adulterated. That’s always a significant escalation. It means every drug tested at that lab is now under a regulatory cloud, regardless of which client sent the samples.

Separately, the lab changed a TNTC (Too Numerous To Count) microbial result to a passing result in a revised test report, with no investigation or supporting documentation to justify the change. When confronted, the firm said the sample wasn’t for the U.S. market and that the customer had directed them not to investigate OOS results because the testing was “for informational purposes only.”

The FDA rejected both arguments outright. A quality agreement with a client does not supersede CGMP responsibilities. And the fact that the lab operates with a single set of procedures, equipment, and practices for all products tested means that integrity failures on non-U.S. work directly compromise the reliability of U.S. testing.

This is as clear a statement as the FDA has made recently on contract lab accountability. If you’re using a contract testing lab, the message is not complicated: their CGMP failures are your CGMP failures.

At the Illinois OTC facility, data integrity issues were less dramatic but still significant. The firm failed to contemporaneously record negative microbiology results. Blank entries were later auto-filled as zeros. During the inspection, the FDA found a plate that had been counted at 20 CFUs, then discarded without recording the result. The firm also couldn’t provide complete microbial sampling results from the water system, with data split across paper and electronic formats and some records simply missing.

FDA characterized this as “a significant risk of systematic underreporting of microbial findings.” That phrase — ”systematic underreporting” — is the kind of language that elevates a documentation deficiency into something much more consequential.

The lesson across both sites: The FDA is looking at your data practices holistically, not just checking whether individual test results are recorded correctly. If your systems allow data to be lost, discarded, unrecorded, or changed without justification, FDA will characterize it as a data integrity failure, and the remediation demands will be extensive.

The quality unit problem runs through everything

Across all three letters, FDA points to breakdowns in quality oversight. In two, that criticism is explicit and direct. In the other, it shows up through failures in review, investigation, maintenance, validation, and decision-making regarding contamination control.

• At the Illinois OTC site, the quality unit monitored water system data failures for 2 years without prompting meaningful action. Microbiology results were either unrecorded or discarded. The FDA demanded a comprehensive assessment and remediation plan to make sure the QU is given the authority and resources to effectively function.

• At the German sterile site, the quality unit relied on transcribed data rather than reviewing raw results. It allowed barrier integrity testing to proceed under acceptance criteria that permitted repeated failures. It didn’t force design-level CAPAs when investigations identified root causes in system design. It accepted decontamination validation results with routine BI positives for years.

• At the Indian contract lab, the quality unit failed to ensure CGMP records were retained. Records were literally in the trash. Deviations were documented on unofficial audit forms outside the QMS, with no CAPA tracking. Senior management instructed staff not to share information with FDA investigators. The QU’s entire framework for oversight had broken down.

In two cases here, the FDA explicitly demanded comprehensive remediation to make sure the quality unit has the authority and resources to function effectively. In the third, the FDA focused its remediation demands more heavily on design, maintenance, decontamination, and contamination-control failures, while still signaling broader quality-system weakness

This isn’t a new theme! But the consistency across three simultaneous letters from the same office makes it worth underscoring. The FDA views quality unit independence and authority as a prerequisite for everything else. If the QU can’t or won’t force action on failing data, flawed investigations, or known design deficiencies, then every other system downstream (validation, testing, release, stability) is compromised.

If your quality unit doesn’t have documented, exercised veto authority over batch release and CAPA closure, that’s the single highest-leverage fix you can make.

The FDA’s response-rejection language is getting sharper

One of the most striking features of these letters is how directly the FDA rejects the firms’ 483 responses. We used to see a lot of boilerplate language about this, but here the language is specific and, in several places, almost adversarial.

• At the Illinois OTC site, the FDA acknowledged the firm’s commitment to stop using the water system and purchase water in the interim. Then it said the response was inadequate because it didn’t address the quality unit’s “protracted insufficient action” in the face of a long-standing failure pattern. On the data integrity observations, the FDA said the response “lacks steps to systemically address your inadequate oversight of data integrity.”

• At the German sterile site, the FDA rejected multiple elements of the response. On the water system: “Your corrective actions fail to address the fundamental, self-identified design flaw.” On decontamination validation: “You failed to address multiple years of consistent recoveries of positive BIs.” On barrier integrity testing: “Your response calls into question the reliability of your testing program.” On fiber shedding: “Your response did not address your failure to evaluate particle generation in the replacement material when you implemented a change control.”

• At the Indian contract lab, the FDA rejected the firm’s claim that destroyed validation documents weren’t related to U.S. products by pointing out that the facility operates with a single set of procedures for all work. It rejected the claim that a client-directed testing arrangement superseded CGMP obligations. It called out the firm’s updated SOP for internal audits as allowing deficiency identification “outside of the Quality Management System without providing guidelines on when personnel must use the QMS framework.”

The message embedded in this language is clear: if your 483 response addresses the specific observation but not the systemic cause, the FDA will reject it, and the warning letter will be more demanding than the 483 was. Firms that treat 483 responses as a compliance checklist rather than an opportunity to demonstrate systemic understanding of their failures are setting themselves up for exactly this outcome.

The bigger signal in these letters

These three letters, issued on the same day from the same CDER office, share a common enforcement posture that goes beyond any individual finding. Let’s be precise:

• The FDA is evaluating whether firms understand the systemic nature of their problems; not just whether they’ve proposed a fix for each observation.

• Procedural CAPAs without design-level or structural remediation are being explicitly rejected.

• Quality unit authority and independence are threshold issues. If the FDA doesn’t see evidence that the QU can force action, everything else is suspect. It’s the seed of doubt.